Penetration Testing mailing list archives

Re: rules of engagement scope


From: mr.nasty () ix netcom com
Date: 19 May 2006 19:35:58 -0000

Ivan Arce is correct.

"The original author (Mr. Nasty) equated defining the scope of a penetration test to committing (or attempting to
commit) fraud, on the basis that if you define a precise scope then you are purposely leaving out things that may be
important to the general public (I am assuming that he intended to apply that rationale to government, public service
organizations and public companies).

So you are talking about a different thing: fraud (or is it phraud?) committed by the penetration tester because she
exceeded the scope of what she was allowed to do, whereas Mr. Nasty proposed that having a scope defined by the
organization subject to the test is somehow equivalent to fraud (if the results of the test are not made public)."

The only rationale that I can see from what Ivan's written is that he has been there. Most others have not. That's why
there is a complete disconnect between logic and reason.

Omar Huerra wrote:
"I've been an auditor myself for one of the remaining big 4 (doing security assessments in support of financial audits;
started as consultant, then Sr. consultant and finally as manager) and I'm not convinced that your perception is at all
correct.

If you are referring to information security people that do assessments during a financial audit (brought in by the
auditors), then their job is definitely not what you say. They are there to support the financial auditors, not to find
the low-hanging fruit. If you want this, then simply hire a pentest team for this specific purpose."

Hence my point that the pen test is in support of the financial statements. In a perfect world you might be able to 
establish ROE on a pen-test and feel confident to rely on the results.  As the commercial states, “we don’t live in 
Perfect”.

I don't want to deliberate on this too much more.
Since I receive information on specific audit requirements, here is the most recent from ISACA:
The Standards Board has issued the following IS Auditing Standards, which become effective for IS audits commencing
after 1 July 2006:
· S12 Audit Materiality
· S13 Using the Work of Other Experts *****
· S14 Audit Evidence

My concerns with ROEs are defined within S13. Any big 4 (or maybe big 3 now) manager should know this. Audit Managers
are brought to the back room by the CFO or CEO and presented with a pentest from within the past 12 months that covered
dialup issues. Everyone smiles and the Audit Manager is led out of the room with the cover letter stating that the
pen-test performed was in conformance with all ROE. The Audit Manager, knowing he has to cut costs or it's coming out
of his budget, will accept the pen-test as support and reduce the confidence sample.

REALITY? Yes. FRAUD? With a good attorney like Ken Lay's, or if you're a cute Florida school teacher, you just clean
up your resume and work for the big 2.

